Clouds in a Storm - Cloud Computing and Civil Proceedings

When organisations are looking at moving to cloud-based solutions, they are likely to consider most risks and challenges before making the move.

January 2011

When organisations are looking at moving to cloud-based solutions, they are likely to consider most risks and challenges before making the move. One set of issues that organisations are unlikely to consider until the move has already been made – and which are unlikely to drive any decision regarding cloud solutions - are those arising when organisations become party to litigation proceedings in the English courts. The storage of documents by cloud providers gives rise to a number of implications for the conduct of civil proceedings, and the key issues are highlighted below.

The duty of disclosure

A cloud customer who is party to proceedings in England will, at some point during those proceedings, be under a duty of disclosure. The duty requires a party to list all documents in its control that currently exist or have previously existed and which: (i) adversely affect its case; (ii) adversely affect the case of another party in the proceedings; (iii) support another party’s case; or (iv) it is required to disclose under some other procedural rule (the “Disclosure Criteria”). Documents will be within a party’s control if: (i) it is or was in that party’s physical possession; (ii) if that party has or previously had a right to possess the document; or (iii) if the party has or has had a right to inspect or take copies of it.

The definition of a ‘document’ for these purposes is very wide and includes anything in which information of any description is recorded. As such, any electronic data held by a cloud provider on behalf of a party to proceedings that meets the Disclosure Criteria should be disclosed.

Volume of data

One of the advantages of cloud-based solutions for many customers is the high volume of electronic data that can be stored at a relatively low cost. The implication of this for disclosure is that there may be a large number of documents that are theoretically available for the lawyers to trawl through.

However, the cloud customer will not have to review all of the electronic data stored within the cloud, and is only required to make a reasonable search for electronic data that meets the Disclosure Criteria. The parties must discuss and agree at an early stage of proceedings what will constitute a reasonable search.

Generally, parties are required to undertake a search that is proportionate in light of the nature of the proceedings and the issues at large. Any party entering into discussions regarding the ambit of a search of electronic data should ensure they are fully briefed on the data that may be held by a cloud provider and how accessible the data is, and they may wish to have an IT expert present to assist it during these discussions.

A party will need to understand how it can undertake a search of the electronic data stored within the cloud, any limitations on that search and the cost implications of undertaking the search. Clear and specific evidence of any problems the cloud customer may face in searching for electronic data should be presented, but the problems must not be overstated.

Ultimately, the fact that electronic data is held within a cloud-based model may not necessarily be a disadvantage when it comes to disclosure. There are a number of sophisticated tools available to assist parties to proceedings in searching electronic data for disclosure. If a party’s cloud provider is able to provide access to the data in a format that can be processed easily by such tools - or even offer these tools themselves - this is likely to save significant time and resource in proceedings.

Document retention

As soon as proceedings are contemplated, all potentially disclosable data must be preserved. This includes all forms of electronic data which would otherwise be deleted in accordance with a document retention policy or in the ordinary course of business. It is therefore vital that cloud consumers not only ensure that data in their possession is preserved but also that data continues to be stored within the cloud.

Ideally, a cloud customer should, during its initial due diligence process before entering into an agreement for cloud-based services, investigate: (i) whether its preferred supplier can apply different rules to its data in the event that litigation is contemplated; and (ii) the speed at which changes to document retention procedures can be made. If these issues are not considered before moving to the cloud, discussions with the cloud provider should be commenced at an early stage in proceedings.

Application for third party disclosure

In English proceedings it is possible for a party to apply to the court for the disclosure of relevant data from a person who is not a party to the proceedings. So, a party could apply directly to a cloud provider for disclosure of data rather than to the cloud customer who is involved in the proceedings. In these circumstances, the cloud provider would be required to disclose relevant data in its control.

When entering into an agreement for the provision of cloud services, a party should therefore take appropriate advice as to how to limit or avoid the cloud provider having control over the electronic data being stored, with a view to limiting the risk that a cloud provider would be required to disclose such data. Cloud customers should also ensure that their providers are obliged to inform them in the event that any disclosure request is made. Agreeing search parameters with the other party to the proceedings early on is also likely to reduce the risk of a third party disclosure order being made.

Although there are important issues to consider, the use of cloud-based services need not necessarily make things more difficult for a party under a duty of disclosure. However, a good knowledge of the particular cloud services and the practicalities of searching for data in that cloud will be crucial to any cloud user during a disclosure exercise.